
Bug#1002014: marked as done (debian-edu-config: Kerberos host principals change far too often)

Your message dated Wed, 29 Dec 2021 17:33:29 +0000
with message-id <E1n2cpN-000IRn-U6@fasolo.debian.org>
and subject line Bug#1002014: fixed in debian-edu-config 2.12.15
has caused the Debian Bug report #1002014,
regarding debian-edu-config: Kerberos host principals change far too often
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

1002014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002014
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.14
Severity: important

Currently, with every edit operation on a GOsa² system, the Host (and nfs) Principal(s) of that host get updated (changed). This is especially problematic if you use krb5i-based NFS across a school site from various workstations.

The problem is that whenever some admin edits a host in GOsa², this host will lose NFS connectivity to /srv/nfs/home0 until the /etc/krb5.keytab has been updated on that client host. This is hardly maintainable.

The underlying reason is in the gosa-modify-host hook script. The script runs add_principal for host/<client> and nfs/<client> after every save operation on a GOsa² system. We need to check here whether those Kerberos principals already exist, and add them only if they do not.

This has been discussed with Wolfgang Schweer on IRC...

22:03 < sunweaver> as mentioned yesterday, I played with krb5i and diskless workstation quite a bit yesterday.
22:03 < sunweaver> I basically managed to get a Debian Edu 10 and 11 DLW (diskless workstation) running against a Debian Edu 11 TJENER.
22:03 < sunweaver> However...
22:04 < sunweaver> Whenever I edit either the client or the TJENER in GOsa, the principal gets updated in krb5-ldap and my krb5.keytab becomes invalid.
22:05 < schweer> hm, then the keytab needs to be updated, too.
22:05 < sunweaver> This is happening in gosa-modify-host which simply runs an add_principal for that host.
22:05 < schweer> yes.
22:05 < sunweaver> I was wondering, if this gosa-modify-host way-of-doing-things is intentional.
22:05 < schweer> yes, intentional, but obviously suboptimal
22:05 < sunweaver> because, I'd rather check if the host (and nfs) principals exist in krb5-ldap and only create them if they don't exist.
22:06 < schweer> good idea
22:06 < sunweaver> because then, the principals won't change that often as they do now.
22:06 < sunweaver> and krb5.keytab files stay valid
22:06 < sunweaver> I'll propose a patch, then.
22:07 < schweer> feel free to improve gosa-modify-host
22:07 < sunweaver> will do, np.
22:07 < schweer> just commit that change
22:07 < sunweaver> (you provided great work, however, I'll do a little QA over the next couple of days, if ok).
22:08 < schweer> very appreciated

I'll propose a patch for this, which will then need to be integrated into the next Debian 11 point release.


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


--- End Message ---
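
The check proposed in the report above (create the host/ and nfs/ principals only when they are missing), written out as an added example; it is not the code from debian-edu-config. The `KADMIN` override, `fake_kadmin`, `FAKE_DB` and the host and realm names in the usage note are assumptions introduced so the logic can be run without a KDC.

```shell
#!/bin/sh
# Added example, not the gosa-modify-host code. KADMIN is an assumed override
# so the logic can run without a KDC; on a real server it is kadmin.local.
KADMIN="${KADMIN:-kadmin.local}"

# principal_exists PRINC: true if list_principals prints exactly this name.
# The exact-line match skips kadmin's banner and any partial matches.
principal_exists() {
    $KADMIN -q "list_principals $1" 2>/dev/null | grep -qxF "$1"
}

# ensure_principal PRINC: add with a random key only when missing, so an
# existing principal keeps its keys and deployed keytabs stay valid.
ensure_principal() {
    if principal_exists "$1"; then
        echo "kept $1"
    else
        $KADMIN -q "add_principal -randkey $1" >/dev/null 2>&1 || return 1
        echo "created $1"
    fi
}

# ensure_host_principals FQDN REALM: the host/ and nfs/ pair from the report.
ensure_host_principals() {
    for svc in host nfs; do
        ensure_principal "$svc/$1@$2" || return 1
    done
}

# Constructed stand-in for kadmin.local (hypothetical, offline use only):
# keeps principal names in $FAKE_DB and logs each key creation.
fake_kadmin() {
    set -- $2    # split the -q query string into words
    case "$1" in
        list_principals) grep -xF "$2" "$FAKE_DB" ;;
        add_principal)   echo "$3" >> "$FAKE_DB"; echo "$3" >> "$FAKE_DB.keys" ;;
    esac
}
```

To try it without a KDC, set `KADMIN=fake_kadmin` and `FAKE_DB` to a scratch file, then call `ensure_host_principals ws01.intern INTERN` twice (constructed names): the second call reports both principals as kept and creates no new keys.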
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.15
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 29 Dec 2021 18:15:27 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.15
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 1002014
 debian-edu-config (2.12.15) unstable; urgency=medium
   [ Mike Gabriel ]
   * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
     principals if they don't yet exist. (Closes: #1002014).
   * share/d-e-c/tools/copy-host-keytab: Restart nfs-common/rpc-gssd after
     having copied over /etc/krb5.keytab. This avoids rebooting for applying
     the copied over changes.
   * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
   [ lintian-brush ]
   * Add missing build dependency on dh addon.



--- End Message ---
